Updated on 2025-09-15 GMT+08:00

Creating a Grant for a Custom Key

You can create grants for other IAM users or accounts to use the custom key. You can create a maximum of 100 grants on a custom key.

Prerequisites

  • You have obtained the ID of the grantee (user to whom permissions are to be authorized).
    • User ID: To obtain the user ID, hover the cursor over the username in the upper right corner, and choose My Credentials. On the displayed API Credentials page, obtain the IAM user ID.
    • Account ID: To obtain the account ID, hover the cursor over the username in the upper right corner, and choose My Credentials. On the displayed API Credentials page, obtain the account ID.
  • The custom key is in the Enabled state.

Constraints

  • The owner of a custom key can create a grant for the custom key on the KMS console or by calling APIs. The IAM users or accounts who have the grant creation permission assigned by the owner of the custom key can create grants for the custom key only by calling APIs.
  • A maximum of 100 grants can be created for a custom key.

Creating a Grant for a Custom Key

  1. Log in to the DEW console.
  2. Click in the upper left corner and select a region or project.
  3. Click the name of the target custom key to go to its details page and create a grant on it.
  4. Click the Grants tab.
  5. Click Create Grant. The Create Grant dialog box is displayed.

    Figure 1 Creating a grant (for a user)
    Figure 2 Creating a grant (for an account)

  6. In the displayed dialog box, enter the ID of the target user and select permissions to be granted. For details, see Table 1.

    A grantee can perform the authorized operations only by calling the necessary APIs. For details, see Data Encryption Workshop API Reference.

    Table 1 Parameters for creating a grant

    Parameter: User or Account
    Description: Whether a user or an account is granted.
    • User
      User ID: To obtain the user ID, hover the cursor over the username in the upper right corner, and choose My Credentials. On the displayed API Credentials page, obtain the IAM user ID.
      After the grant is created, the IAM user can use the specified keys.
    • Account
      Account ID: To obtain the account ID, hover the cursor over the username in the upper right corner, and choose My Credentials. On the displayed API Credentials page, obtain the account ID.
      After the grant is created, all IAM users under the account can use the specified keys.
    Example Value: d9a6b2bdaedd4ba586cabe6372d1b312

    Parameter: Name
    Description: You can name the grant.
    NOTE: You can enter digits, letters, underscores (_), hyphens (-), colons (:), and slashes (/).
    Example Value: test

    Parameter: Granted Operations
    Description: The operations that can be granted are listed below. You can select multiple operations.
    • Create Data Key Without Plaintext
    • Create Data Key
    • Encrypt Data Key
    • Decrypt Data Key
    • Query Key Details
    • Create Grant
    • Retire Grant
      • A grantee can retire a grant if the grantee no longer needs that permission.
      • If, before retiring a grant, the grantee has granted the permission to another user, that user's permission is not affected by the retirement.
    • Encrypt Data
    • Decrypt Data
    NOTE:
    • You can create multiple grants on a custom key to give different permissions to the same user. The user's permissions on the custom key are the combination of all the grants.
    • This parameter cannot be left blank.
    • Selecting only Create Grant is not allowed.
    The following operations can be granted on all keys:
    • Query Key Details
    • Create Grant
    • Retire Grant
    For the operations that can be granted for each key algorithm, see Table 2.
    Example Value: -

    Table 2 Granting operations

    Key Algorithm: AES_256
    Key Type: Symmetric key
    Usage: ENCRYPT_DECRYPT
    Granted Operations:
    • Create Data Key Without Plaintext
    • Create Data Key
    • Encrypt Data Key
    • Decrypt Data Key
    • Encrypt Data
    • Decrypt Data
    • Create Data Key Pair

    Key Algorithm: RSA_2048, RSA_3072, RSA_4096, EC_P256, EC_P384
    Key Type: Asymmetric key
    Usage: SIGN_VERIFY
    Granted Operations:
    • Query a public key
    • Signature
    • Signature verification

    Key Algorithm: RSA_2048, RSA_3072, RSA_4096
    Key Type: Asymmetric key
    Usage: ENCRYPT_DECRYPT
    Granted Operations:
    • Query a public key
    • Encrypt Data
    • Decrypt Data

    Key Algorithm: HMAC_256, HMAC_384, HMAC_512
    Key Type: Digest key
    Usage: GENERATE_VERIFY_MAC
    Granted Operations:
    • Generate HMAC
    • Verify HMAC

  7. Click OK. When the message "Grant created successfully" is displayed in the upper right corner, the grant has been created.

    In the list of grants, you can view the grant name, grant type, grantee ID, granted operation, and creation time of the grant.

Querying a Grant

You can view the details about a custom key grant on the KMS console, such as the grant ID, grantee user ID, granted operation, and creation time.

  1. Click the target custom key alias to access its details page.
  2. Click the Grants tab to view the grants created for the custom key. Table 3 describes the parameters.

    Table 3 Parameters

    Grant Name: Name given to the grant when it was created.
    Grantee ID: ID of the authorized user or account.
    Granted To: Whether permissions are granted to a user or an account.
    Operations: Authorized operations (such as Create Data Key) on the custom key.
    Creation Time: Time when the grant was created.

  3. Click the target grant. The grant details are displayed on the right, as shown in Figure 3.

    Figure 3 Viewing grant details

Revoking a Grant

You can revoke a grant on the KMS console in either of the following scenarios:

  • A grantee does not need the custom key grant. (The grantee can either tell the user who has created the grant to revoke the grant or call the necessary API to revoke the grant directly.)
  • You do not want the grantee to have the grant.

When a grant is revoked, the grantee no longer has the corresponding permission. However, if the grantee has in the meantime created the same grant for another user, that user's permission is not affected.

  1. Click the target custom key alias to access its details page.
  2. In the Grants tab, locate the target grant and click Revoke Grant in the Operation column.
  3. If deletion verification is not enabled, enter DELETE in the confirmation dialog box and click OK.

    If you have enabled deletion verification, select a verification mode, click Get Code, enter the code, and click OK.

    To disable operation protection, go to the Security Settings page, click Disable next to Operation Protection in the Critical Operations tab, or click Disable Operation Protection on the deletion page.
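As an added illustration (not code from this page or from Huawei Cloud), the following Python models the rules stated in Table 1, Table 2 and the revocation note above: which operations a key's algorithm and usage allow, the checks applied to a new grant, the combination of a grantee's grants, and a revocation that does not cascade to grants the grantee created for others. The class and function names are my own assumptions.

```python
# Constructed model of this page's grant rules (Tables 1 and 2), not Huawei Cloud's KMS API.
import re
from dataclasses import dataclass, field

MAX_GRANTS = 100                                   # per custom key
NAME_RE = re.compile(r"^[0-9A-Za-z_\-:/]+$")       # allowed grant-name characters
COMMON_OPS = {"Query Key Details", "Create Grant", "Retire Grant"}  # any key
SIGN_OPS = {"Query a public key", "Signature", "Signature verification"}
OPS_BY_USAGE = {                                   # Table 2, by algorithm family
    ("AES", "ENCRYPT_DECRYPT"): {"Create Data Key Without Plaintext",
        "Create Data Key", "Encrypt Data Key", "Decrypt Data Key",
        "Encrypt Data", "Decrypt Data", "Create Data Key Pair"},
    ("RSA", "SIGN_VERIFY"): SIGN_OPS, ("EC", "SIGN_VERIFY"): SIGN_OPS,
    ("RSA", "ENCRYPT_DECRYPT"): {"Query a public key", "Encrypt Data",
        "Decrypt Data"},
    ("HMAC", "GENERATE_VERIFY_MAC"): {"Generate HMAC", "Verify HMAC"},
}

def allowed_ops(algorithm, usage):
    """Operations grantable on a key such as ('RSA_3072', 'SIGN_VERIFY')."""
    family = algorithm.split("_")[0]               # AES_256 -> AES, EC_P256 -> EC
    if (family, usage) not in OPS_BY_USAGE:
        raise ValueError(f"unsupported key: {algorithm}/{usage}")
    return COMMON_OPS | OPS_BY_USAGE[(family, usage)]

@dataclass
class CustomKey:
    algorithm: str
    usage: str
    grants: dict = field(default_factory=dict)     # grant name -> (grantee, ops)

    def create_grant(self, name, grantee, ops):    # console checks; ValueError on failure
        ops = frozenset(ops)
        if not NAME_RE.match(name):
            raise ValueError("name: digits, letters, _ - : / only")
        if not ops:
            raise ValueError("Granted Operations cannot be left blank")
        if ops == {"Create Grant"}:
            raise ValueError("selecting only Create Grant is not allowed")
        if not ops <= allowed_ops(self.algorithm, self.usage):
            raise ValueError(f"not grantable on this key: {sorted(ops)}")
        if len(self.grants) >= MAX_GRANTS:
            raise ValueError("maximum of 100 grants per custom key")
        self.grants[name] = (grantee, ops)

    def effective_ops(self, grantee):              # combination of all grants
        return frozenset().union(*(o for g, o in self.grants.values() if g == grantee))

    def revoke(self, name):                        # grants issued to others stay intact
        del self.grants[name]
```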

Editing a Grant

After you create a grant for an account or IAM user, you can edit the grant to change their operation permissions.

  1. Click the target custom key alias to access its details page.
  2. In the Grants tab, locate the target grant, click Edit in the Operation column, and select the granted operations to be edited, as shown in Figure 4.

    Figure 4 Editing a grant

  3. Click OK.